Reg comments16

Apple empties gas can, strikes match, burns bridge to hot-patch apps

Injecting arbitrary parameters into dynamic methods violates dev rules

Apple has begun informing a limited number of developers using hot patching frameworks that doing so violates its rules.

The developers put on notice appear to be using either Rollout.io or JSPatch, because each is capable of changing the behavior or functionality of apps after Apple's approval review.

Apple did not immediately respond to a request for comment.

Rollout.io provides a service that lets developers "push code-level changes to native iOS apps, without waiting on the App Store."

Like JSPatch, it allows direct access to native APIs, including APIs that Apple has designated for its private use. In so doing, these frameworks provide an avenue for potential misuse.

Security firm FireEye anticipated that Rollout.io and JSPatch might prove problematic a year ago when it described the risks posed by hot patching, such as making premium phone calls without consent, taking screenshots without consent, and checking for the presence of specific apps.

While many apps employ some method to update content outside of the App Store Review process, Apple in a notice (posted by the developer who received it) cites specific concerns about "any code which passes arbitrary parameters to dynamic methods" in order to change app behavior.

Being able to update apps without waiting days or weeks for review is highly desirable in many circumstances. Among the various ways to do so – WebView components, replacing assets on a backend server, or a framework like Expo or Microsoft's CodePush – it's Rollout.io and JSPatch that appear to be rubbing Apple the wrong way.

In a blog post, Erez Rusovsky, CEO of Rollout.io, said that while Apple has not changed its guidelines, it appears to have begun interpreting them more narrowly. "We are disappointed that Apple has made this change before we have had an opportunity to address any concerns," he said.

Speaking to The Register by phone, Rusovsky said Apple has not reached out to his company to help it understand how to be compliant with developer rules. He said there are about 500 apps being distributed with Rollout's software and he expects most of the developers involved have been contacted.

While it's unclear whether Rollout.io can be made to comply with Apple's requirements, Rusovsky said his company is about to introduce a different developer-oriented service that doesn't raise the same security concerns.

"The idea is giving teams a way to continuously release new features in a safe way," he said.

Charlie Cheever, CEO of Expo.io, said he believes Apple is concerned about security.

"I think the crux of what Apple was going for here is really the way that Objective-C's dynamic nature was being exploited to basically call any method including private APIs," he said in an email to The Register.

Expo, which is based on React Native, handles updates differently, Cheever explained. "Your JavaScript will only call into a set of native calls that have been audited and reviewed at App Store submission time (and so are known to not include calls to private APIs, etc)," he said.

On the phone, Cheever observed that the use of frameworks for updating apps on the fly is pretty common and is becoming more so.

Apple's decision to add support in iOS 10.3 (now in beta) for changing Home screen app icons outside of the review process (with user approval) suggests it is aware of the appeal of hot patching.

Given that awareness, it's certainly possible Apple could some day offer developers a service that provides an automated, rapid way to update apps without revisiting review purgatory. It might even find a way to charge for the service. ®

Sponsored: The Joy and Pain of Buying IT - Have Your Say


Biting the hand that feeds IT © 1998–2017